Room for improvement in cyber resilience – Zurich survey

There’s a lot of room for improvement in building cyber resilience, according to a new report from Zurich North America and Advisen.

The companies have released their 11th annual Information Security and Cyber Risk Management Survey, which polled corporate risk managers and insurance buyers on their views about information security and cyber risk management. This year’s survey featured the highest percentage of cyber insurance buyers since the survey began 11 years ago, with 83% of respondents carrying some level of cyber insurance. The survey results indicated that risk professionals were increasingly aware of growing cyber risks and the need to manage them. However, Zurich said there was still much room for improvement in building cyber resilience.

65% of respondents have invested in cybersecurity tools to mitigate risk, Zurich said. However, that means that 35% of respondents have not.

“At Zurich, we have been advocating for increased cyber resilience among businesses for years, so seeing a continued increase in take-up rate and strengthening risk mitigation efforts is very encouraging,” said Michelle Chia, head of professional liability and cyber at Zurich North America. “The survey results also tell us, however, that more work needs to be done to increase cyber resilience, and we are committed to providing businesses the resilience strategies they need through education and support.”

The survey revealed gaps in mitigation efforts – especially those related to risk monitoring, employee training and vendor risk assessment.

• Risk monitoring: Most risk managers responding to the survey were not monitoring cyber threats frequently enough. 32% of respondents said that they monitored for cyber threats monthly, and 28% said they monitored only quarterly.
• Vendor risk assessment: Only 52% of survey respondents said that vendor risk assessment was part of their mitigation plans. Respondents also categorized business interruption due to technology failures or supplier cyber disruptions as only moderate concerns. However, cyber criminals are increasingly using third-party vendors to launch broader attacks, so companies should be aware that vendor risk is not an area to be ignored, Zurich said.
• Employee education: Human error is a major driver of successful cybersecurity breaches. However, only 17% of survey respondents said their companies offered cybersecurity training on a monthly basis. Annual training was the most common response at 30%, followed by quarterly training at 25%.

This year, the survey featured questions on ransomware for the first time. 80% of respondents said they felt very or moderately prepared to deal with a ransomware attack. However, respondents also said they worried that no matter how much they prepared, it would not be enough to fully overcome a ransomware event, with many citing the “unknowns” surrounding ransomware.

“While our cyber risk security efforts seem very robust, it’s difficult to know what we don’t know,” one respondent said.

Other key findings include:

• The hard cyber insurance market is causing worries on all fronts, including retention, limits, prices and coverage. Respondent comments show significant concern about a “completely dislocated” cyber insurance market with triple-digit rate increases, shrinking coverages, and scepticism over whether insurers adequately analyze effective loss-prevention measures.
• Buyers’ frustration with the cyber insurance market’s policy wording varies from carrier to carrier, making it difficult for policyholders to compare solutions.

“This survey reveals that customers are concerned with the changing market and what it will mean to their renewal process,” Chia said. “Risk managers are looking for coverage that protects their business at the right price, and are also looking for solutions to mitigate their risk. With so many unknowns, they may find that the answers to business resilience are right in front of them in the form of risk mitigation.”